Wednesday, March 05, 2008

why anti-virus vendors are having such a hard time

ok, first of all, the fact that there are a bunch of links back to this blog has absolutely nothing to do with why i'm responding to a post about why anti-virus products are having a hard time... that said, wow, i'm glad somebody liked those posts...

the links just spelled out some backstory, as it were... the main thrust was to highlight two reasons why av products are (or at least seem to be) having a hard time...

the two reasons given are technically about why scanners specifically are becoming less effective against malware... i agree that the reasons given are contributing to problems for scanners - packers make it easy to turn a known piece of malware into an unknown piece of malware, and pre-release detection testing helps avoid releasing malware that heuristics would detect...

but both of these things (besides being outside the scope of what known-malware scanning is supposed to handle, since they specifically deal with new/unknown malware) are largely out of the av vendor's control... there is something that av vendors do have control over that is contributing even more to av products seeming to have a hard time - that being a failure to adequately manage their users... they've failed to manage user understanding of threats, they've failed to manage user awareness of the tools available for mitigating the risk posed by those threats (leading to the notion that av products are just scanners - a notion that is so pervasive that most security bloggers, including the one whose article i'm responding to, give opinions and pose logical arguments based on the assumption that it's true), and ultimately (and as a result of their other failures) they've failed to manage user expectations about what those tools can do... the real reason scanners specifically are having such a hard time is that they don't get the backup they require... they were never meant to handle all malware problems (and were certainly never capable of it), only known malware problems...

one of the most novel examples of this failure is the rising anti-botnet market as discussed in this eweek article on said market... one of the first anti-botnet applications i heard about in the mainstream was the one being provided by symantec... they released it as a separate stand-alone tool and though i hoped they'd see the light and integrate it into their main anti-malware offering it seems that they've decided instead to treat it as an exciting new potential revenue stream and started charging money for it (not that i think there's anything wrong with charging money for a product, but if it's product-ready then why is it separate from the rest of their anti-malware offerings? or alternatively, if they're going to offer individual tools as well as suites, why aren't there more stand-alone tools?)... this fracturing of the anti-malware market comes at the expense of being able to communicate a clear and comprehensive message to the user/customer about anti-malware security... without anything else to tell them how anti-malware security works (and for the most part there isn't anything else that regular people would be exposed to), the way the technologies themselves are presented implicitly communicates this to the user, and fracturing your own set of offerings to make some extra green is a failure to properly manage this implicit message...